
LTECH-532: Override tomcat-embed to 11.0.22 to patch CVEs#71

Merged: damienpalacio merged 1 commit into main from LTECH-532/bump-tomcat-11.0.22 on Jun 9, 2026

Conversation

@damienpalacio (Member)

Summary

  • Spring Boot 4.0.6 manages tomcat-embed-core 11.0.21, which is affected by 7 open Dependabot advisories (3 CRITICAL, 3 HIGH, 1 LOW).
  • Pin tomcat.version to 11.0.22 (the first patched release) via the Spring dependency-management property, forcing all three embedded tomcat modules to the patched version.

Resolves the following GitHub Security Alert tickets:

  • LTECH-523 — Digest authenticator authenticates any unknown user (CRITICAL)
  • LTECH-524 — LockOutRealm case-sensitive user names (HIGH)
  • LTECH-525 — WebSocket authentication header exposure (HIGH)
  • LTECH-526 — HTTP/2 request headers not validated (CRITICAL)
  • LTECH-527 — Unbounded read in WebDAV LOCK/PROPFIND (HIGH)
  • LTECH-532 — Security constraints not correctly applied (CRITICAL)
  • LTECH-533 — AJP secret compared in non-constant time (LOW)

Test plan

  • ./gradlew dependencies confirms tomcat-embed-core/el/websocket all resolve to 11.0.22
  • ./gradlew build (compile + tests) passes

🤖 Generated with Claude Code

Spring Boot 4.0.6 manages tomcat-embed-core 11.0.21, which is affected
by 7 Dependabot advisories (LTECH-523/524/525/526/527/532/533),
including 3 CRITICAL. Pin tomcat.version to 11.0.22, the first patched
release, via the Spring dependency-management property.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
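Added example, not the project's own build.gradle.kts: the override as the PR describes it, plus a verification task that turns the test plan's manual `./gradlew dependencies` check into a build failure if any tomcat-embed module ever resolves to a version other than the pinned one. It assumes the Spring Boot Gradle plugin and io.spring.dependency-management are applied (the property override only works through that plugin, not through Gradle's native platform BOM import) and that spring-boot-starter-tomcat brings in the three modules; the task and variable names are hypothetical.

```kotlin
// build.gradle.kts fragment (added illustration; assumes the Spring Boot
// Gradle plugin and io.spring.dependency-management are already applied).

// The version Spring Boot 4.0.6 manages is 11.0.21; 11.0.22 is the first
// release with the fixes listed in LTECH-523..533.
val pinnedTomcat = "11.0.22"

// Override the BOM-managed version for every org.apache.tomcat.embed module
// (core, el, websocket) through the dependency-management property.
extra["tomcat.version"] = pinnedTomcat

// The modules the PR's test plan expects to see at the pinned version.
val expectedModules = setOf("tomcat-embed-core", "tomcat-embed-el", "tomcat-embed-websocket")

// Regression guard: a future Spring Boot upgrade or a transitive dependency
// must not silently move the embedded Tomcat back to a vulnerable version.
tasks.register("verifyTomcatVersion") {
    group = "verification"
    description = "Fails unless all org.apache.tomcat.embed artifacts resolve to $pinnedTomcat"
    doLast {
        val resolved = configurations.getByName("runtimeClasspath")
            .resolvedConfiguration.resolvedArtifacts
            .map { it.moduleVersion.id }
            .filter { it.group == "org.apache.tomcat.embed" }

        // Any tomcat-embed artifact at a different version fails the build.
        val wrong = resolved.filter { it.version != pinnedTomcat }
        check(wrong.isEmpty()) {
            "tomcat-embed modules not at $pinnedTomcat: " +
                wrong.joinToString { "${it.name}:${it.version}" }
        }

        // The starter should bring in all three modules; a missing one usually
        // means the check ran against the wrong configuration.
        val missing = expectedModules - resolved.map { it.name }.toSet()
        check(missing.isEmpty()) { "tomcat-embed modules missing from runtimeClasspath: $missing" }

        println("All ${resolved.size} tomcat-embed artifacts resolve to $pinnedTomcat")
    }
}

// Hook the guard into ./gradlew check so CI catches a regression, not a scanner.
tasks.named("check") { dependsOn("verifyTomcatVersion") }
```

`./gradlew verifyTomcatVersion` gives the same answer as reading the `-> 11.0.22` arrows in the `./gradlew dependencies` report, but as a pass/fail exit code.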
@damienpalacio damienpalacio marked this pull request as ready for review June 9, 2026 15:23
@damienpalacio damienpalacio requested a review from a team as a code owner June 9, 2026 15:23
@damienpalacio damienpalacio requested a review from akos-hrvth June 9, 2026 15:23
@damienpalacio damienpalacio merged commit 22532ed into main Jun 9, 2026
4 checks passed
@damienpalacio damienpalacio deleted the LTECH-532/bump-tomcat-11.0.22 branch June 9, 2026 19:59